It's an ordinary Java applet, with all the rights and controls of every other Java applet, except this applet was a pen-tester written by TrustedSec, then found by "researchers" from F-Secure. It downloads a file specific to the OS it's running on and... no more information from F-Sec

They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

Same argument goes for Windows and OS X -- and the argument is wrong. You can have software that happily installs in your home directory and has full access to userland files -- which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

From what I've seen, the stuff normally dropped on Linux systems tends to be shell scripts and the like, and they don't tend to look like much in screen shots.

which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the user's own directory.

You have backups of /home right? So what is the problem with restoring it. Losing /home is NOT the worst thing that can happen to you. Having a virus that you can not detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland so can we let this meme die now please?

~ or %HomePath% is where people keep their documents - including things such as, say, filled out tax returns, and other things that have tons of personally identifying information in them that is quite valuable for the kind of people that tend to run malware. Also, a lot of people either use webmail with saved password (or "stay logged in"), or a mail client configured to fetch everything by default with no password prompt, which again makes the contents of your emails directly accessible to any malware ru

OK, now let's look at what I said and what you said.

Me: Most of what is actually important to you is accessible from userland
You: There's a meme right now about how the only important files to the user are in the user's own directory

See the difference?

What I was pointing out is that malware can do most of what it needs to do these days without ever leaving userland. For those tasks like setting up a rootkit, hosts poisoning, cross-user spreading, etc. that DO require more privileges (but which are a small

The sad part is the BSD guys would write them a thank you note for bothering to remember them.

So can we ALL just accept now there is no "Magical OS" that makes one immune from malware please? All OSes are EXTREMELY complex piles of code, having to support tens of thousands of drivers, scheduling and tasking, hell I doubt even Linus can tell you when you launch program Foo every single interaction that is taking place in the system, there is simply more there than any one person can know.

Now that the retard that made XP run by default as admin has been sent packing on the short bus all three major OSes have limited users, hell Windows even has the browser run as a low rights entity to help lower the risk. Now that all three major OSes have common sense defaults ultimately it all comes down to the USER and whether they will take the time to actually think or will simply allow anything to run. I've seen it a billion times in the shop, a fully patched and AVed machine get infected NOT because of the OS but because it was the USER that refused to listen to the warnings being given him/her and choosing instead to run it anyway.

At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run. I think we can all agree having some corporation own our machines would be a BAD thing so all we can do is warn users, try to make ever hardened systems, and be ready to clean up the messes when they happen. After Android became a hit it was only a matter of time before Linux got put in the crosshairs and now that day appears to be here and I for one will be interested to see how the community reacts.

And that exact same advice frankly works just as well on Windows but if the user doesn't follow it you are screwed.

Ultimately there is only so much you can do technically against the dancing bunny problem [codinghorror.com] because if the user WANTS to see the bunnies, and you try to stop the user from getting to the bunnies? they will happily thwart any and ALL security measures you put in their way to see the bunnies. Again I've seen this with my very own two eyes, I even had to throw a guy out of the shop once when he rem

I wasn't talking about javascript. He was talking directly about this attack. Disabling Java not Javascript is what would stop it. I just double checked BofA as well. It worked fine with Java and Flash disabled. It is pretty stupid it won't without javascript though. The only thing I can think of is maybe to try and stop bots, but even that is dumb. It's trivial to embed webkit, use the webbrowser object, etc to parse js.

Then don't visit that site. I run noscript on my Windows and Linux desktops, sites that refuse to play nice, don't get my traffic. If more people would stop visiting these sites, their ad revenue will start to be impacted. Once you hurt their bottom line, they will start to wonder why and may stumble across a post like this one and they may get the point.

Then again, they were stupid enough to do this in the first place... Their response might be "WE NEEDS MOAR ADS FOR TEH MONAYS SO I CAN BUY A NEW BENZ!!!"

it was only a matter of time before Linux got put in the crosshairs and now that day appears to be here

Perhaps.

But being in the crosshairs isn't the same as being hit. I haven't seen any evidence this "exploit" actually works on Linux.

For a start, there's only this one article with almost no real information, repeated all over the web. There are no Linux screenshots, and all I can glean from the text is that the malware is actually an open-source pen-testing tool called the Social-Engineer Toolkit (SET), which has always included the Linux compatibility code. In fact, it's no different from any other self-si

"At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run."

That is exactly what I had to do for my parents. I created four non-admin accounts:

1 - Games (this is for my mom to play online games)
2 - Mom (This is the account my mom uses for email (whitelisted), and dumping pics, etc). This account has no access to a web browser.
3 - Dad (ditto for this account).
4 - B

I do something similar for my customers, I always make them a low rights account for any friends/kids/etc that come over and when the owner is in their account while I can't lock them down as well as you can I give them Comodo Dragon with ABP, since Dragon runs in low rights mode, and on top of that I give them Comodo CIS AV which has sandboxing and scan before load on web pages. Both are free and since doing so my customers getting nasty bugs has frankly dropped right off the chart. You'd be surprised how

Ironically, "Columbia" is the correct spelling in English (taken from "Columbus"). "Colombia" is the Spanish spelling (taken from "Colón"). Since English doesn't have the "ó", we use a "u" instead. Now, being a proper name you can use either (English is very flexible), but the English spelling is "Columbia".

Perhaps, but in American "Columbia" refers either to the river or to the district while "Colombia" refers to the nation in South America. "Columbia" is also an archaic term for the USA, as in "Columbia Gem of the Ocean".

Because! Damnit. Though I would argue more for spelling proper nouns as the originator would spell them (assuming the phonetics work out -- and the alphabet, but transliteration is a whole different ballgame) since, ya know, it's their name an' all.

You're right, the Java programming language is not a security threat to computers in general. The Java Runtime Environment, and its various browser implementations, however, is definitely a threat. Just like PDF documents are not a threat, but Acrobat Reader is definitely a threat. See here [net-security.org] for proof (spoiler: Java was the #1 infection vector, at 37%; Acrobat #2 at 32%).

Your link exposes that the browsers and the Java Deployment Toolkit appear to be the culprits, not the JRE itself.

The study specifically calls out the "Java JRE" (that's right, the Java Java Runtime Environment) as the vector for 37% of Windows infections. But I do see that in the partial list of vulnerabilities that some of the ones related to Java (but not all of them) call out the Java DT. As far as browsers go, the only browser listed as an infection vector is IE, and it was only responsible for 10% of infections. 85% of the infections were the "drive-by" variety exploiting JRE, Acrobat, or Flash.

PDFs, IIRC, just recently were a threat in and of themselves. But that's neither here nor there.

Just like the Spanish Inquisition, the list of weapons you see in that study is "amongst" all of their weapons. That's not a complete list of exploits. They claim to have looked at 50 exploit kits. I believe that Metasploit alone contains a database of around 800 exploits. According to Secunia, JRE 1.6.x contains 274 vulnerabilities and 1.7.x contains 53.

Exactly how Java ends up executing the malicious code isn't really relevant to end users. I don't have any parts of Java installed because I don't trust that it's going to be secure. I don't care enough about Java to go digging through the individual bits and pieces to identify which things are safer to install. It doesn't matter to me whether the DT is at fault, or the JRE, or J2EE or JDK or whatever else, I don't care. What I care about is avoiding infections, and since Java plays a part in 37% of inf

Well, since browsers are responsible for 100% of the infections listed, I expect you don't have them installed, either? And since Windows was also 100% responsible for infections, you don't have that either? For that matter, what are you doing on the internet? It is responsible for 100% of those infections!!!

Don't be obtuse. IE was only responsible for 10% of infections, and I don't use it. Windows help files were the vector less than 5% of the time, and I assume IE was used there as well, because my browser wouldn't automatically launch a Windows help file.

I think you may need to revisit your assumptions

Maybe you misunderstood me. When I referred to "my browser", I was not referring to IE. I don't use IE for the same reason I don't install Java or Acrobat Reader. That's 79% of infections that won't succeed on my machine after very little (or no) effort

I'm not being obtuse. You are berating a product for the flaws of a single component that resembles an appendix that 99% of Java users never encounter nor care about.

OK. Since you're the resident Java security expert, then let me ask you a question. Since Java is responsible for 37% of infections to Windows, and since the study specifically calls out the JRE, but you claim that the JRE is not the problem, then answer these two questions: which component is the problem, and why do end users care which component is the problem? The fact remains - Java is the #1 infection vector. You can claim that 99% of users never "encounter" the faulty components, but that leaves a

At least that one's done. So you agree the problem is not the JRE, but the plugins/plugin framework.

The problem is that all of the components that people exploit are installed and enabled by default in the download package that Oracle labels the JRE (which is why the report specifically blames "Java JRE").

It's Windows that's the single largest vector for infection.

No, Windows is the target. Java is the hole that attackers go through to get there.

The fact that other systems run fine with Java really points out this glaring omission on MS's part.

OK, then let me ask you a question. Why do you think it's true that Java is used as the infection vector 37% of the time, while Flash is used 16%? Or that IE is used at only 10%? When a Windows machine gets infected, w

JRE versions 1.4, 1.5 and 1.6 all have over 260 vulnerabilities listed on Secunia. Each one has more than the last 3 versions of Flash Player and more than any version of IE other than IE 6 which only has about 2 dozen more vulnerabilities. On the other hand if you look at something like .NET there are an average of maybe 40 vulnerabilities for each major version.

It's not FUD. The JRE is one of the most vulnerable and exploitable pieces of software on a machine. If you don't believe me see Secunia for the number of vulnerabilities per version. It averages to nearly 200 per major version which is more than the average of the last 3 major versions of Flash Player.

Oh noze... a web exploit for Linux! That asks you if you want to install it from within your web browser. Yeah, your average Linux user will surely fall for that, even though it's not how we ever install software. Does it even work on Linux? The article had no screenshots of it running there, nor what version of Java (if any) it exploits.

Because of course all of your personal infromation is stored under your non-user account? Err... nope. Identity theft is far more useful these days than simply trying to own your machine. Who cares about owning the machine when they can own your personal data?

See that red color? "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."

You can see at a glance that most of these vulnerabilities require javascript. As the GP said, the smug Linux user has probably disabled Javascript from random sites. If not, they have no business being smug.

Well, at least they made it run on Linux. Most software writers just don't bother to put in that kind of effort. Must be one classy virus writing operation over there to not leave any of the major OSes out lol.

Quoted:
"Surprisingly for such an advanced exploit, it was unable to infect modern Macs unless they were modified to run software known as Rosetta. The software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out about five years ago. Rosetta is no longer even supported on Lion, the most recent version of OS X."

Rosetta not supported on Lion and not installed by default in Snow Leopard.

So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...

If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a Java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:

/**
* Original Author: Thomas Werth
* Modifications By: Dave Kennedy, Kevin Mitnick
* This is a universal Applet which determintes Running OS
*...
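The header comment and the getParameter("ILIKEHUGS") call quoted above are exactly the kind of literal strings a defender can search for. What follows is an added example, not code from the thread or from the toolkit it discusses: a small Python scanner that looks for those quoted strings inside every entry of a JAR, and a constructed in-memory JAR to run it against. The indicator strings are copied from the comment above (including its spelling); the sample source, the stand-in class bytes and the entry names are constructed for this example and are not taken from any real file.

```python
import io
import zipfile

# Indicator strings copied from the applet header quoted in the comment above;
# "determintes" is the original file's spelling and is kept for a literal match.
INDICATORS = (
    b"ILIKEHUGS",
    b"Original Author: Thomas Werth",
    b"Modifications By: Dave Kennedy, Kevin Mitnick",
    b"universal Applet which determintes Running OS",
)


def scan_bytes(data: bytes):
    """Return [(indicator, offset), ...] for every occurrence of an indicator.

    Works on .java source and on .class files alike: javac drops comments but
    keeps string literals in the constant pool as modified UTF-8, under which
    ASCII bytes are unchanged, so a byte search still finds the "ILIKEHUGS"
    literal in compiled code even though the header comment is gone.
    """
    hits = []
    for needle in INDICATORS:
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            hits.append((needle.decode(), idx))
            start = idx + 1
    return hits


def scan_jar(fileobj):
    """Scan every file entry of a JAR (a zip archive); map entry name -> hits."""
    results = {}
    with zipfile.ZipFile(fileobj) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            hits = scan_bytes(jar.read(info.filename))
            if hits:
                results[info.filename] = hits
    return results


# Constructed sample source: the quoted header plus the quoted getParameter call.
SAMPLE_SOURCE = b"""/**
 * Original Author: Thomas Werth
 * Modifications By: Dave Kennedy, Kevin Mitnick
 * This is a universal Applet which determintes Running OS
 */
public class Java extends java.applet.Applet {
    public void init() { String p = getParameter("ILIKEHUGS"); }
}
"""

# Constructed stand-in for the compiled class: the class-file magic, some
# padding, then a CONSTANT_Utf8-style entry holding the one string literal,
# which is all a real constant pool would retain of the text above.
SAMPLE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 8 + b"\x01\x00\x09ILIKEHUGS"


def build_sample_jar() -> io.BytesIO:
    """Build an in-memory JAR with one clean entry and two entries to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Java.java", SAMPLE_SOURCE)
        jar.writestr("Java.class", SAMPLE_CLASS)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: scan_jar() also accepts a path or an open file of a real JAR.
    for name, hits in scan_jar(build_sample_jar()).items():
        print(name)
        for indicator, offset in hits:
            print(f"  {offset:6d}  {indicator}")
```

Only the parameter name survives compilation, so a scan of a deployed JAR that finds just "ILIKEHUGS" in a .class entry is the expected outcome; the header text is only visible if the source, rather than the compiled applet, is in hand. Anyone who changes the parameter name defeats this check, which is the usual limit of string-matching and why it belongs alongside, not instead of, a check on who signed the applet.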

The exploit isn't determining which OS they are running. The dropper determines the OS and then delivers the payload for that OS. The exploit in the payload may be new, or it may be exploiting unpatched JREs.

Well, the greater concern is what the virus is and intends to do. Something doesn't need a root password to, say, run an individual keylogger for what that user types, FTP that log file in addition to everything in ~/Documents to a server in Sealand, or whatever. If just ruining someone's day is the goal, rm -rf ~ would pretty much be the kiss of death. Linux's greater strength in the more robust, harder to break root privileges compared to Windows actually doesn't really come into play until Linux hits a poin

There is a way with a browser identification script on the server side, to then realize a redirect based on the type of browser....that would be a very mundane thing for any adept web developer to do.... in any language.
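The server-side browser identification and redirect that the comment above calls mundane, written out as an added example (not code from the thread or from any tool it mentions): a minimal WSGI handler that classifies the User-Agent header into an OS family and answers with a redirect to a per-OS path. The paths under /pkg/ and the sample User-Agent strings are constructed for this example. The useful point for anyone examining such a page is what respond() returns for a generic client: a request sent with curl's default User-Agent, or from a sandbox that does not mimic the victim's browser, gets a plain 200 and never sees the redirect, so the OS-specific response can only be observed by sending the header the victim's browser would send.

```python
# Ordered (substring, os_family) rules; order matters because an Android UA
# also contains "Linux" and an iOS UA contains "like Mac OS X".
_UA_RULES = (
    ("Android", "android"),
    ("iPhone", "ios"),
    ("iPad", "ios"),
    ("Windows", "windows"),
    ("Mac OS X", "mac"),
    ("Linux", "linux"),
)

# Hypothetical per-OS download locations; families without an entry are not
# redirected. A client that sends no or an unrecognised User-Agent is "unknown".
_TARGETS = {
    "windows": "/pkg/windows",
    "mac": "/pkg/mac",
    "linux": "/pkg/linux",
}


def classify_os(user_agent: str) -> str:
    """Map a User-Agent string to an OS family using first-match substring rules."""
    for needle, family in _UA_RULES:
        if needle in user_agent:
            return family
    return "unknown"


def app(environ, start_response):
    """WSGI application: redirect by OS family, or serve a plain page otherwise.

    The decision rests entirely on a client-supplied header, so it is trivially
    spoofed in either direction; that is the property an analyst relies on when
    fetching the page with a browser-like User-Agent to see what a victim sees.
    """
    family = classify_os(environ.get("HTTP_USER_AGENT", ""))
    target = _TARGETS.get(family)
    if target is None:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"no OS-specific build for this client\n"]
    start_response("302 Found", [("Location", target)])
    return [b""]


def respond(user_agent: str):
    """Drive the WSGI app for one request; return (status, Location header or None)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    # Minimal environ: only the header the app consults is needed here.
    b"".join(app({"HTTP_USER_AGENT": user_agent}, start_response))
    return captured["status"], captured["headers"].get("Location")


if __name__ == "__main__":
    # Constructed User-Agent strings: a desktop browser and a generic tool.
    for ua in (
        "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
        "curl/7.22.0",
    ):
        print(f"{ua!r:70} -> {respond(ua)}")
```

To serve the handler for real, `wsgiref.simple_server.make_server("127.0.0.1", 8000, app)` from the standard library is enough; nothing in the example depends on a framework.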

The GP is correct. Apple stopped shipping Java with OS X with the release of Lion.

That said, if you try to run something the requires Java, OS X will offer to download and install it for you. However with the latest OS X updates the Java browser plug-in and Java Web Start are now disabled by default, and have to be explicitly enabled by the user in the Java Preferences app. And if they do explicitly enable it, it will auto-disable itself again if it hasn't been used in some time.

That's a lot of extra hoops to jump through to get this to work on a modern, up-to-date Mac. Then again, the people who develop and propagate malware such as this tend to target those who don't keep their systems up-to-date, ensuring it is still a concern for many users (with those at most risk being the ones least knowledgeable to do much about it, or even be aware that anything is wrong).

Macs do indeed run Apple's version of Java... If you have jumped through the hoops of clicking the "disabled plugin" button that replaces the applet, then typing in your password. Macs absolutely do not have to be running Rosetta (a tech that doesn't even exist any more) to get infected, as neither Java, nor the binary delivered is a PPC binary.

Eh? How do you figure? Macs run Apple's version of Java...which means, they'd dutifully execute this applet.

With OS X Lion, Apple stopped shipping Java with OS X. And with the latest revision, the ability to run Applets or Java Web Start is disabled by default, and has to be explicitly enabled (and even then will self-disable if you don't use it for some time).

So to amend your statement, Macs run Apple's version of Java -- if you've tried to run something written in Java, responded to the resulting pop-up that you'd like to download and install Java, entered an Admin password (or username and password if you're

... and on up-to-date systems there won't be any known privilege escalation exploits.

Think again. An attacker following the kernel source tree will be able to figure out when exploitable bugs are being patched. While such bugs/fixes are generally not called out as security fixes at that time, they are nevertheless identifiable given a small investment.

And for many distros it takes weeks (sometimes months) for the fixes to come through to the "consumer". During that time (dubbed "high-risk days" by some researchers) the vulnerability information is in the open but systems have not yet been p

I remember when the slammer worm came out. We were all excited that we were finally going to be able to see a real piece of malware on Linux. We opened up the appropriate port to a number of test machines to try and get infected so we could disassemble it. Within a couple of hours there was a patch available for Linux. Everyone upgraded (patch fast, patch often) and it died out before we could get infected. Open source software is a horrible platform to attack because there are hordes of people who can provi

I had a friend that did a demonstration of just that. He built an exploit while he was up there doing the talk. It took a couple hours, but when he was done he had a functional 0day. Believe it or not people actually do what he's describing. If the good guys are doing it for pentesting I'd guess the bad guys are doing it as well.

You mean like the Linux kernel dev who had a trojan installed on his system and subsequently got kernel.org rooted by getting the trojan on two of the servers? Yeah, geeks never get malware on their systems. *rolls eyes*

Get up, go to the bathroom, go to a stall, take off your underwear, wipe yourself off, put pants back on without your underwear, get out of the stall, throw away your soiled underwear and get back to work.